diff options
author | android-build-team Robot <android-build-team-robot@google.com> | 2018-02-26 18:06:38 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-02-26 18:06:38 +0000 |
commit | c26d93904216646cc01b1228a048ac73b37c3240 (patch) | |
tree | f0b9026cb10d9d270231e647c78988abfe516537 | |
parent | f469ebae8604bc756259c7305f8cb7617ca18ddc (diff) | |
parent | 9f30f3bbf30b7de0ad3850171db968ae12a6caf0 (diff) | |
download | core-c26d93904216646cc01b1228a048ac73b37c3240.tar.gz |
Snap for 4565141 from 9f30f3bbf30b7de0ad3850171db968ae12a6caf0 to oc-m4-releaseandroid-8.1.0_r23oreo-m4-s1-release
Change-Id: Ic7a8f8ce92e39048b4e84f44cc8036c2f5a9c875
-rw-r--r-- | libnetutils/packet.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/libnetutils/packet.c b/libnetutils/packet.c index e53a4c84f..9ecdd4f4e 100644 --- a/libnetutils/packet.c +++ b/libnetutils/packet.c @@ -218,6 +218,20 @@ int receive_packet(int s, struct dhcp_msg *msg) * to construct the pseudo header used in the checksum calculation. */ dhcp_size = ntohs(packet.udp.len) - sizeof(packet.udp); + /* + * check validity of dhcp_size. + * 1) cannot be negative or zero. + * 2) src buffer contains enough bytes to copy + * 3) cannot exceed destination buffer + */ + if ((dhcp_size <= 0) || + ((int)(nread - sizeof(struct iphdr) - sizeof(struct udphdr)) < dhcp_size) || + ((int)sizeof(struct dhcp_msg) < dhcp_size)) { +#if VERBOSE + ALOGD("Malformed Packet"); +#endif + return -1; + } saddr = packet.ip.saddr; daddr = packet.ip.daddr; nread = ntohs(packet.ip.tot_len); |